Configure Permissions for Remote Desktop Services Connections

Applies To: Windows Server 2008 R2

Remote Desktop Services permissions are used to control which users or groups can perform particular tasks on the RD Session Host server, such as logging on to the RD Session Host server or remotely controlling a user session. You can manage permissions on a per connection basis in Remote Desktop Session Host Configuration.

Note

To control who can connect remotely to the RD Session Host server, we recommend that you modify the Remote Desktop Users group. For more information about modifying the Remote Desktop Users group, see Configure the Remote Desktop Users Group.

The connection permissions that are set in Remote Desktop Session Host Configuration also determine the actions that a given user can perform in Remote Desktop Services Manager. For example, a user must have at least the Remote Control special access permission to remotely control a user session by using Remote Desktop Services Manager.

The following is a list of the permissions that you can set in Remote Desktop Session Host Configuration and the capability that each permission provides.

Permission

Capability

Query Information

Query sessions and RD Session Host servers for information

Set Information

Configure properties of the connection

Remote Control

View or actively control another user's session

Logon

Log on to a session on the RD Session Host server

Logoff

Log off a user from a session

Message

Send a message to a user session

Connect

Connect to another user session

Disconnect

Disconnect a user session

Virtual Channels

Use a virtual channel in a session, which provides local device and resource redirection

By default, the Remote Desktop Users group is assigned the following permissions: Query Information, Logon, and Connect.

There are three standard preconfigured sets of permissions:

Full Control

User Access

Guest Access

The following is a list of permissions that are associated with each of the standard preconfigured sets of permissions.

Use the following procedure to configure permissions for a connection.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Under Connections, right-click the name of the connection, and then click Properties.

In the Properties dialog box for the connection, on the Security tab, configure the permissions as appropriate for your environment, and then click OK.

You can prevent administrators from changing the permissions for a connection by applying the Do not allow local administrators to customize permissions Group Policy setting. This Group Policy setting is located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).

For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (http://go.microsoft.com/fwlink/?LinkId=138134).